Network Security - Harden Cisco Devices

This document lists the options that are recommended to help you secure your Cisco IOS devices, which increases the overall security of your network.

service sequence-numbers 
Each system status message logged by the system logging process has a sequence reference number applied. This command makes that number visible by displaying it with the message. The sequence number is displayed as the first part of the system status message.

service sequence-numbers 

clock set
Generally, if the system is synchronized by a valid outside timing mechanism, such as a Network Time Protocol (NTP) or VINES clock source, or if you have a router with a hardware clock, you need not set the software clock. Use this command if no other time sources are available. The time specified in this command is assumed to be in the time zone specified by the configuration of the clock timezone command. 

clock set hh:mm:ss day month year

clock timezone 
To set the time zone for display purposes, use the clock timezone command in global configuration mode.

clock timezone GMT +8

No Service Password-Recovery
The No Service Password-Recovery feature is a security enhancement that prevents anyone with console access from accessing the router configuration and clearing the password. It also prevents anyone from changing the configuration register values and accessing NVRAM.

no service password-recovery

spanning-tree portfast
Use this feature only on interfaces that connect to an end device, such as a workstation. Never use the PortFast feature on switch ports that connect to other switches, hubs, or routers.

spanning-tree portfast

Logging Level
Each log message that is generated by a Cisco IOS device is assigned one of eight severities that range from level 0, Emergencies, through level 7, Debug. Unless specifically required, you are advised to avoid logging at level 7. Logging at level 7 produces an elevated CPU load on the device that can lead to device and network instability.
This configuration example limits log messages that are sent to remote syslog servers and the local log buffer to severities 6 (informational) through 0 (emergencies):

logging trap 6 
logging buffered 6 

No logging console
With Cisco IOS software, it is possible to send log messages to the console and to monitor sessions. However, doing so can elevate the CPU load of an IOS device and therefore is not recommended.
Instead, you are advised to send logging information to the local log buffer, which can be viewed using the show logging command.

no logging console 
no logging monitor 

Use Buffered Logging
Cisco IOS software supports the use of a local log buffer so that an administrator can view locally generated log messages. The use of buffered logging is highly recommended versus logging to either the console or monitor sessions. 
There are two configuration options that are relevant when configuring buffered logging: the logging buffer size and the message severities. This configuration example includes the configuration of a logging buffer of 16384 bytes, as well as a severity of 6, indicating that messages at levels 0 through 6 are stored:

logging buffered 16384 
logging buffered 6 

Configure Logging Source Interface
In order to provide an increased level of consistency when collecting and reviewing log messages, you are advised to statically configure a logging source interface. For added stability, you are advised to use a loopback interface as the logging source. This configuration example illustrates the use of the logging source-interface global configuration command to specify that the IP address of the loopback 0 interface be used for all log messages:

interface loopback 0
ip address <IP address> <subnet mask>
logging source-interface Loopback 0

NetFlow
NetFlow identifies anomalous and security-related network activity by tracking network flows. Cisco Express Forwarding (CEF), or distributed CEF, is a prerequisite to enabling NetFlow. NetFlow can be configured on routers and switches.

ip flow-export destination <ip-address> <udp-port>
ip flow-export version <version>

interface <interface>
ip flow <ingress|egress>

EXEC Timeout
The exec-timeout command must be used in order to log out sessions on vty or tty lines that are left idle. By default, sessions are disconnected after 10 minutes of inactivity.

line con 0
exec-timeout <minutes> [seconds]
line vty 0 4
exec-timeout <minutes> [seconds]

Keepalives for TCP Sessions
The service tcp-keepalives-in and service tcp-keepalives-out global configuration commands enable a device to send TCP keepalives for TCP sessions. This ensures that the device on the remote end of the connection is still accessible.

service tcp-keepalives-in
service tcp-keepalives-out

Secure Shell Version 2 Support
The Secure Shell Version 2 Support feature allows you to configure Secure Shell (SSH) for management access. The example below generates the RSA key pair, restricts the device to SSH version 2, and allows only SSH on the vty lines.

hostname cncrouter
ip domain-name <domain-name>
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip scp server enable
ip ssh source-interface fa0/0 (or another interface of your choice)
line vty 0 4
transport input ssh

Configure Logging Timestamps
The configuration of logging timestamps helps you correlate events across network devices. Logging timestamps should be configured to include the date and time with millisecond precision and to include the time zone in use on the device.

clock timezone GMT +8
service timestamps log datetime msec localtime show-timezone 
service timestamps debug datetime msec localtime show-timezone 
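
As an added example that is not part of the original post, the following Python parser handles the log-line shape that service sequence-numbers and the timestamp settings above produce, uses the sequence numbers to detect dropped messages, and reads the clock marker that IOS prints when the clock has never been set or synchronised; the sample lines are constructed, not captured from a device.

```python
import re
from typing import Dict, List, Optional, Tuple

# Shape of one buffered/syslog line once "service sequence-numbers" and
# "service timestamps log datetime msec localtime show-timezone" are set:
#   000046: Mar  3 10:15:07.004 GMT: %SEC_LOGIN-4-LOGIN_FAILED: text
# A "*" in front of the timestamp means the clock is not authoritative (never
# set or not NTP-synchronised); a "." means synchronisation was lost.
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<mark>[*.]?)"
    r"(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[A-Za-z]+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]


def parse_line(line: str) -> Optional[Dict]:
    """Parse one IOS log line; return None for lines of any other shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    return {
        "seq": int(m["seq"]),
        "clock_authoritative": m["mark"] == "",
        "stamp": m["stamp"], "tz": m["tz"],
        "facility": m["facility"], "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m["mnemonic"], "text": m["text"],
    }


def find_sequence_gaps(records: List[Dict]) -> List[Tuple[int, int]]:
    """Return (last_seen, next_seen) pairs where the sequence numbers jump.

    A jump means messages were lost between the device and the collector
    (or already pruned from the buffer); without sequence numbers such loss
    is invisible to the reviewer.
    """
    seqs = sorted(r["seq"] for r in records)
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


def audit_log(text: str) -> Dict:
    """Parse a log excerpt and summarise what a reviewer checks first."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    return {
        "records": records,
        "gaps": find_sequence_gaps(records),
        "unsynced_clock": [r["seq"] for r in records if not r["clock_authoritative"]],
        "warning_or_worse": [r["seq"] for r in records if r["severity"] <= 4],
    }


# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = """\
000045: Mar  3 10:15:01.221 GMT: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
000046: Mar  3 10:15:07.004 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed]
000049: *Mar  3 10:15:09.883 GMT: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
"""
```

Running audit_log over the sample reports the missing messages 47 and 48 and flags message 49 as stamped by an unsynchronised clock.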

Login Password Retry Lockout
The Login Password Retry Lockout feature allows you to lock out a local user account after a configured number of unsuccessful login attempts. Once a user is locked out, their account stays locked until you unlock it. An authorized user who is configured with privilege level 15 cannot be locked out with this feature. The number of users with privilege level 15 must be kept to a minimum.

aaa new-model
aaa local authentication attempts max-fail <max-attempts>
aaa authentication login default local
login block-for 120 attempts 5 within 60

username <name> secret <password> 

No ip mask-reply 
Ensure that the device is not configured to respond to ICMP mask requests.

no ip mask-reply

No ip identd
Ensure that the identification (identd) service is not enabled.

no ip identd

No ip directed-broadcast
Ensure that the device is not configured to allow IP directed broadcasts on any interface.

no ip directed-broadcast

No ip route-cache 
Using the route cache is often called fast switching. The route cache allows outgoing packets to be load-balanced on a per-destination basis rather than on a per-packet basis. The no ip route-cache command disables fast switching on the interface.

no ip route-cache

Memory Threshold Notifications 
The Memory Threshold Notification feature allows you to mitigate low-memory conditions on a device.

memory free low-watermark processor <threshold>
memory free low-watermark io <threshold>

Memory Reservation is used so that sufficient memory is available for critical notifications. This ensures that management processes continue to function when the memory of the device is exhausted.

memory reserve critical <value>

CPU Thresholding Notification
The CPU Thresholding Notification feature allows you to detect and be notified when the CPU load on a device crosses a configured threshold.

snmp-server enable traps cpu threshold

snmp-server host <host-address> <community-string> cpu

process cpu threshold type <type> rising <percentage> interval <seconds> [falling <percentage> interval <seconds>]
process cpu statistics limit entry-percentage <number> [size <seconds>]

Reserve Memory for Console Access
The Reserve Memory for Console Access feature can be used in order to reserve enough memory to ensure console access to a Cisco IOS device for administrative and troubleshooting purposes. This feature is especially beneficial when the device runs low on memory.

memory reserve console 4096 

SNMP Community Strings
Community strings are passwords that are applied to an IOS device to restrict access, both read-only and read-write access, to the SNMP data on the device.

snmp-server community READONLY RO
snmp-server community READWRITE RW

SNMP Community Strings with ACLs
In addition to the community string, an ACL should be applied that further restricts SNMP access to a select group of source IP addresses.

access-list 98 permit <source-address>
access-list 99 permit <source-address>

snmp-server community READONLY RO 98
snmp-server community READWRITE RW 99

SNMP Views 
SNMP Views are a security feature that can permit or deny access to certain SNMP MIBs.

snmp-server view VIEW-SYSTEM-ONLY system include

snmp-server community LIMITED view VIEW-SYSTEM-ONLY RO

SNMP Version 3
SNMPv3 provides secure access to devices by authenticating and optionally encrypting packets over the network. 
This command configures a Cisco IOS device for SNMPv3 with an SNMP server group AUTHGROUP and enables only authentication for this group by using the auth keyword:

snmp-server group AUTHGROUP v3 auth

This command configures a Cisco IOS device for SNMPv3 with an SNMP server group PRIVGROUP and enables both authentication and encryption for this group by using the priv keyword:

snmp-server group PRIVGROUP v3 priv

This command configures an SNMPv3 user snmpv3user with an MD5 authentication password of authpassword and a 3DES encryption password of privpassword:

snmp-server user snmpv3user PRIVGROUP v3 auth md5 authpassword priv 3des privpassword

Disable AUX
In most situations, the AUX port of a device must be disabled to prevent unauthorized access. An AUX port can be disabled using these commands:

line aux 0 
transport input none 
transport output none 
no exec 
exec-timeout 0 1
no password 

Cisco IOS Software Configuration Management
This example illustrates the configuration of automatic configuration archiving (the path, maximum, and time-period commands are entered in archive configuration mode):

archive
path disk0:archived-config
maximum 14
time-period 1440

Exclusive Configuration Change Access
The Exclusive Configuration Change Access feature ensures that only one administrator makes configuration changes to a Cisco IOS device at a given time.

configuration mode exclusive auto 

Cisco IOS Software Resilient Configuration
The Resilient Configuration feature makes it possible to securely store a copy of the Cisco IOS software image and device configuration that is currently being used by a Cisco IOS device. When this feature is enabled, it is not possible to alter or remove these backup files.

secure boot-image
secure boot-config

Configuration Change Notification and Logging 
The Configuration Change Notification and Logging feature makes it possible to log the configuration changes made to a Cisco IOS device. The log is maintained on the Cisco IOS device and contains the user information of the individual who made the change, the configuration command entered, and the time that the change was made. The commands below are entered in archive configuration mode:

archive
log config
logging enable
logging size 200
notify syslog

Unicast RPF 
Unicast RPF enables a device to verify that the source address of a forwarded packet can be reached through the interface that received the packet.

ip cef

interface <interface>
ip verify unicast source reachable-via <mode>
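
The check described above, written out as an added Python model that is not part of the original post: a longest-prefix lookup over a constructed FIB, followed by the strict (reachable-via rx) or loose (reachable-via any) decision, with the allow-default keyword modelled as a flag. The FIB contents and interface names are assumptions made for the example.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed FIB for the example: prefix -> interface the route points out of.
# The interface names are assumptions for illustration only.
FIB: Dict[str, str] = {
    "0.0.0.0/0": "GigabitEthernet0/0",        # default route toward the ISP
    "192.0.2.0/24": "GigabitEthernet0/1",     # customer LAN A
    "198.51.100.0/24": "GigabitEthernet0/2",  # customer LAN B
}


def lookup(fib: Dict[str, str], addr: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match on the source address, as CEF does for uRPF."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None


def urpf_permits(fib: Dict[str, str], src: str, ingress: str,
                 mode: str = "rx", allow_default: bool = False) -> bool:
    """Decide whether 'ip verify unicast source reachable-via <mode>' passes a packet.

    mode "rx"  = strict: the route back to the source must leave via the
                 interface the packet arrived on.
    mode "any" = loose: any route back to the source is enough.
    allow_default mirrors the allow-default keyword: without it a match on
    0.0.0.0/0 does not count as reachability.
    """
    hit = lookup(fib, src)
    if hit is None:
        return False                      # no route back to the source at all
    prefix, iface = hit
    if prefix == "0.0.0.0/0" and not allow_default:
        return False
    if mode == "rx":
        return iface == ingress
    if mode == "any":
        return True
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # A LAN-A host using a LAN-B source address: strict mode drops it, loose passes it.
    print(urpf_permits(FIB, "198.51.100.7", "GigabitEthernet0/1", "rx"))   # False
    print(urpf_permits(FIB, "198.51.100.7", "GigabitEthernet0/1", "any"))  # True
```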

IP Source Guard 
IP Source Guard uses information from DHCP snooping to dynamically configure a port access control list (PACL) on the Layer 2 interface, denying any traffic from IP addresses that are not associated in the IP source binding table.

ip dhcp snooping
ip dhcp snooping vlan <vlan-range>

After DHCP snooping is enabled, these commands enable IPSG: 

interface <interface−id> 
ip verify source 

Port Security
Port Security is used in order to mitigate MAC address spoofing at the access interface. Port Security can use dynamically learned (sticky) MAC addresses to ease the initial configuration. Once port security has determined a MAC violation, it can utilize one of four violation modes. These modes are protect, restrict, shutdown, and shutdown VLAN.

interface <interface>
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum <number>
switchport port-security violation <violation-mode>

Dynamic ARP Inspection 
Dynamic ARP Inspection (DAI) can be utilized to mitigate ARP poisoning attacks on local segments. DAI relies on the DHCP snooping binding table, so DHCP snooping is enabled first:

ip dhcp snooping
ip dhcp snooping vlan <vlan-range>

Cisco IOS Login Enhancements (Login Block)
The Cisco IOS Login Enhancements (Login Block) feature provides a way for you to better secure your Cisco IOS software-based device against possible malicious connection attempts. By enabling this feature, you can slow down "dictionary attacks" by enforcing a "quiet period" if multiple failed connection attempts are detected, thereby protecting the routing device from a type of denial-of-service attack.

login delay <seconds>
login on-failure log
login on-success log
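
An added Python model, not from the original post, of how the quiet period of login block-for 120 attempts 5 within 60 (shown under Login Password Retry Lockout) and the per-account lockout of aaa local authentication attempts max-fail interact, including the privilege-15 exemption the page describes. The clock is passed in by the caller so that the behaviour can be traced deterministically; the thresholds are the page's values and the user names are constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Set


@dataclass
class LoginGuard:
    """Models two IOS controls from this page with a caller-supplied clock.

    login block-for <block_for> attempts <attempts> within <within>
        -> after <attempts> failures inside a <within>-second window, every
           login is refused for <block_for> seconds (the "quiet period").
    aaa local authentication attempts max-fail <max_fail>
        -> an account is locked after <max_fail> failures until an operator
           clears it; privilege-15 users are exempt.
    """
    block_for: float = 120.0
    attempts: int = 5
    within: float = 60.0
    max_fail: int = 3
    privileged: Set[str] = field(default_factory=set)   # level-15 user names
    failures: Deque[float] = field(default_factory=deque)
    quiet_until: float = 0.0
    user_failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def in_quiet_period(self, now: float) -> bool:
        return now < self.quiet_until

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Process one login attempt at time `now` and return its outcome."""
        if self.in_quiet_period(now):
            return "quiet"                 # refused before any authentication
        if user in self.locked:
            return "locked"
        if password_ok:
            self.user_failures.pop(user, None)
            return "success"
        outcome = "failed"
        # Per-account counter for the local lockout.
        n = self.user_failures.get(user, 0) + 1
        self.user_failures[user] = n
        if n >= self.max_fail and user not in self.privileged:
            self.locked.add(user)
            outcome = "locked"
        # Device-wide sliding window for login block-for.
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            outcome = "quiet-started"
        return outcome

    def clear_user(self, user: str) -> None:
        """Operator unlock of a locked local account."""
        self.locked.discard(user)
        self.user_failures.pop(user, None)
```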

Cisco VTP Vulnerability
Upon receiving a malformed VTP packet, certain devices may reload. The attack could be executed repeatedly, causing an extended denial of service.
In order to successfully exploit this vulnerability, the attacker must know the VTP domain name, as well as send the malformed VTP packet to a port on the switch configured for trunking. Since there is no way to completely disable VTP, the better way is to set the VTP mode to transparent on all devices and set a VTP password as well.

vtp mode transparent
vtp password <password>

Spanning Tree Protocol Root Guard Enhancement
Any switch can be the root bridge in a network. With standard STP, any bridge in the network with a lower bridge ID takes the role of the root bridge; the administrator cannot enforce the position of the root bridge. The administrator can set the root bridge priority to 0 in an effort to secure the root bridge position, but there is no guarantee against a bridge with a priority of 0 and a lower MAC address. The spanning-tree guard root command closes this gap: a port with root guard that receives a superior BPDU is placed in the root-inconsistent state, so it can never lead toward a new root bridge.

spanning-tree vlan <vlan num | vlan range> priority 0
spanning-tree guard root

MAC address-table notification
Use the mac address-table notification global configuration command to enable the MAC address notification feature on the switch.
This example shows how to enable the MAC address-table notification feature, set the interval time to 60 seconds, and set the history size to 100 entries:

mac address-table notification
mac address-table notification interval 60 
mac address-table notification history-size 100

Configuring Dynamic ARP Inspection
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. However, because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host. 
A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet.

ip arp inspection vlan <vlan num | vlan range>
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
ip arp inspection limit rate 15

Uplink interfaces should be configured as trusted by using this command:

interface <interface>
ip arp inspection trust 

Using Authentication, Authorization, and Accounting
The Authentication, Authorization, and Accounting (AAA) framework is critical to securing interactive access to network devices.

aaa new-model 

aaa authentication login default local                                          
aaa authorization exec default local  

Disable Unnecessary Services
As a security best practice, any unnecessary service must be disabled. These unneeded services, especially those that use UDP (User Datagram Protocol), are infrequently used for legitimate purposes, but can be used in order to launch DoS and other attacks that are otherwise prevented by packet filtering.

Issue the no ip finger global configuration command in order to disable the finger service.

no ip finger

Issue the no ip bootp server global configuration command in order to disable Bootstrap Protocol.
使用no ip bootp server全局配置命令禁用Bootstrap协议。

no ip bootp server

DHCP services can be disabled if DHCP relay services are not required. Issue the no service dhcp command in global configuration mode.

no service dhcp

Issue the no mop enabled command in interface configuration mode in order to disable the Maintenance Operation Protocol (MOP) service.

no mop enabled

Issue the no ip domain-lookup global configuration command in order to disable Domain Name System (DNS) resolution services.

no ip domain-lookup

Issue the no service pad command in global configuration mode in order to disable the Packet Assembler/Disassembler (PAD) service, which is used for X.25 networks.

no service pad

Issue the no service tcp-small-servers and no service udp-small-servers global configuration commands to disable the TCP and UDP small services.

no service tcp-small-servers 
no service udp-small-servers 

The HTTP server can be disabled with the no ip http server command in global configuration mode, and the Secure HTTP (HTTPS) server can be disabled with the no ip http secure-server global configuration command.

no ip http server
no ip http secure-server

Unless Cisco IOS devices retrieve configurations from the network during startup, the no service config global configuration command must be used. This prevents the Cisco IOS device from attempting to locate a configuration file on the network using TFTP.

no service config

Cisco Discovery Protocol (CDP) is a network protocol that is used in order to discover other CDP enabled devices for neighbor adjacency and network topology. CDP can be used by Network Management Systems (NMS) or during troubleshooting. CDP must be disabled on all interfaces that are connected to untrusted networks. This is accomplished with the no cdp enable interface command. Alternatively, CDP can be disabled globally with the no cdp run global configuration command. Note that CDP can be used by a malicious user for reconnaissance and network mapping.

no cdp run

Link Layer Discovery Protocol (LLDP) is an IEEE protocol that is defined in 802.1AB. LLDP is similar to CDP. In order to disable this feature, issue the no lldp transmit and no lldp receive interface configuration commands. Issue the no lldp run global configuration command in order to disable LLDP globally.

no lldp run

Other security options
Ensure that the device is configured to not send ICMP redirect messages (interface configuration mode).

no ip redirects

Ensure that the device is configured to not send ICMP unreachable messages (interface configuration mode).

no ip unreachables

Ensure that the proxy ARP service is not enabled on any interface.

no ip proxy-arp 

Drop all packets with IP options set.

ip options drop

Ensure that the device is not forwarding IP packets with the source routing option in the header.

no ip source-route 

Turn off UDP broadcast forwarding.

no ip forward-protocol udp

Security passwords min-length: ensure that all configured passwords are at least a specified length.

security passwords min-length <length>

Security authentication failure rate: configure the number of allowable unsuccessful login attempts.

security authentication failure rate <threshold-rate> log 

Limit the severity of messages sent to a syslog server.

logging trap <level>

Disable gratuitous ARP requests.

no ip gratuitous-arps 

Turn VLAN 1 off.

interface vlan 1
shutdown

Set the encapsulation on all trunk ports.

switchport trunk encapsulation dot1q

Set all trunk ports to no channel-group.

no channel-group
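
As an added example that is not part of the original post, a small Python audit that parses a running configuration and reports which of the hardening items listed on this page are missing. The configuration it checks is constructed, and the list of required lines is a subset chosen for the example, not an official baseline.

```python
# Global lines recommended on this page, as they appear in a running config
# (a subset chosen for the example, not an official baseline).
REQUIRED_GLOBAL = [
    "service sequence-numbers",
    "service timestamps log datetime msec localtime show-timezone",
    "no service password-recovery",
    "no ip http server",
    "no ip http secure-server",
    "no cdp run",
    "ip ssh version 2",
]
REQUIRED_VTY = ["transport input ssh", "exec-timeout"]
REQUIRED_INTERFACE = ["no ip redirects", "no ip unreachables", "no ip proxy-arp"]

def parse_config(text: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split IOS config text into top-level lines and indented blocks by header."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                     # body line of the open block
            if current is not None:
                blocks[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, blocks

def audit(text: str) -> list[str]:
    """Return one finding per hardening item the configuration misses."""
    top, blocks = parse_config(text)
    findings = [f"missing global: {req}" for req in REQUIRED_GLOBAL if req not in top]
    # A community string whose last token is RO/RW carries no ACL number.
    findings += [f"SNMP community without ACL: {l}" for l in top
                 if l.startswith("snmp-server community ") and l.split()[-1] in ("RO", "RW")]
    for header, body in blocks.items():
        if header.startswith("line vty"):
            findings += [f"{header}: missing {req}" for req in REQUIRED_VTY
                         if not any(b.startswith(req) for b in body)]
            if "exec-timeout 0 0" in body:
                findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
        elif header.startswith("interface ") and "Loopback" not in header:
            findings += [f"{header}: missing {req}" for req in REQUIRED_INTERFACE if req not in body]
    return findings

# Constructed sample configuration (not from a real device); it deliberately
# leaves some items out so the audit has something to report.
SAMPLE_CONFIG = """\
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
no service password-recovery
ip ssh version 2
snmp-server community public RO
snmp-server community LIMITED RO 98
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
line vty 0 4
 exec-timeout 0 0
 transport input ssh
"""
```

IOS omits settings that are at their default from show running-config, so feed the audit the output of show running-config all to avoid false findings on "no ..." lines.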


This article is reposted from the 51CTO blog of justiceplus (original link: ); contact the original author before reposting.